Thousands of Microsoft Exchange servers are still vulnerable to this dangerous flaw

Security attack
(Image credit: Shutterstock / ozrimoz)

Tens of thousands of Microsoft Exchange servers are still vulnerable to a high-severity flaw used in ProxyNotShell exploits, researchers have warned.

Cybersecurity researchers Shadowserver Foundation said almost 70,000 IPs were vulnerable to CVE-2022-41082, a remote code execution (RCE) vulnerability patched in early November last year.

At press time, Shadowserver’s data are showing at least 57,000 vulnerable IPs, although the information comes with a disclaimer that results were “calculated by summing counts of unique IPs, which means that a “unique” IP may have been counted more than once”. 

Mitigations and patches

“Any figures should be treated as indicative rather than exact,” Shadowserver said - however declining figures could be an indication of a positive trend. 

There are two high-severity vulnerabilities that were dubbed ProxyNotShell - the abovementioned CVE-2022-41082, and CVE-2022-41040, an elevation of privilege flaw that was also patched in early November. The affected endpoints include Exchange Server 2013, 2016, and 2019.

While there are mitigations available, researchers are urging IT pros to apply the patch instead, as the mitigations can be worked around. One report from BleepingComputer saw ransomware operators using a newly-discovered exploit chain to bypass certain ProxyNotShell mitigations and execute malicious code remotely on target devices. 

Exchange servers are valuable to hackers, and as such are often targeted. For example, the infamous LockBit group was recently caught deploying malware via compromised Exchange Servers. Last summer, two servers belonging to one company were infected with LockBit 3.0. As per the report, the attackers first deployed web shell, then escalated privileges to Active Directory admin a week later, stole some 1.3 TB of data, and encrypted systems hosted on the network.

Late last year, researchers uncovered a malicious campaign attempting to exploit the already-fixed ProxyShell vulnerability in Microsoft Exchange, too. 

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Flag of the People's Republic of China overlaid with a technological network of wires and circuits.
One of the biggest flaws exploited by Salt Typhoon hackers has had a patch available for years
A person at a laptop with a cybersecure lock symbol floating above it.
Hackers are still using old Ivanti bugs to break into networks
An illustration of a hand holding a set of keys in front of a laptop, accompanied by a padlock symbol, fingerprint, and key.
Thousands of SonicWall VPN devices are facing worrying security threats
A VPN runs on a mobile phone placed on a laptop keyboard
SonicWall firewalls hit by worrying cyberattack
Best free Linux firewalls
Fortinet warns a critical vulnerability in its systems could let attackers breach company networks
Representational image depecting cybersecurity protection
Hackers are breaking SonicWall products to target business networks
Latest in Security
Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
Microsoft warns about a new phishing campaign impersonating Booking.com
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Meta warns of worrying security flaw hitting open source type software
Data leak
Hacked Tata Technologies data leaked by ransomware gang
A close-up photo of an iPhone, with the App Store icon prominent in the center of the image.
Thousands of iOS apps found to expose user data and leak Stripe keys
China
Chinese hackers targeting Juniper Networks routers, so patch now
Google Chrome dark mode
Google updates Chrome extension rules to ban affiliate link injection without user action or benefit
Latest in News
NordicTrack Ultra 1
The new NordicTrack Ultra 1 treadmill looks like it was designed by an architect and costs $15,000
Assassin's Creed Shadows
Ubisoft shareholder accuses publisher of 'misleading investors', plans protest outside Paris HQ
Google Gemini AI logo on a smartphone with Google background
I made an AI version of Bilbo Baggins using Goggle Gemini for free, and shared a pipe with him outside Bag End – here’s what you can now do with Gems
Nicole Kidman wears a blue blouse with her arms crossed.
Netflix might be renewing The Perfect Couple and Beauty in Black for season 2, but I don’t get why when it’s canceled shows with poorer ratings
The Russo brothers posing for a photograph and Herman carrying a Volkswagen camper van in The Electric State
'We're optimists': AI enthusiasts Joe and Anthony Russo defend its use in movies and TV shows, but admit there are 'very real dangers' around its application
UK Prime Minister Sir Kier Starmer
UK PM says AI should soon replace civil servants